Don't compute the Kronecker symbol in ec_GFp_simple_set_compressed_coordinates.
If y is zero, there is no point with odd y, so the odd bit may not be set, hence EC_R_INVALID_COMPRESSION_BIT. This code instead computed the Kronecker symbol of x and changed the error code to EC_R_INVALID_COMPRESSED_POINT if not a square. As the comment says, this was (intended to be) unreachable. But it seems x was a typo for tmp1. It dates to before upstream's 6fb60a84dd1ec81953917e0444dab50186617432, when BN_mod_sqrt gave garbage if its input was not square. Now it emits BN_R_NOT_A_SQUARE. Upstream's 48fe4d6233ac2d60745742a27f820dd88bc6689d then mapped BN_R_NOT_A_SQUARE to EC_R_INVALID_COMPRESSED_POINT. Change-Id: Id9e02fa1c154b61cc0c3a768c9cfe6bd9674c378 Reviewed-on: https://boringssl-review.googlesource.com/12463 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
bd691756f2
commit
14ebb4ff27
@ -381,19 +381,7 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
|
|||||||
|
|
||||||
if (y_bit != BN_is_odd(y)) {
|
if (y_bit != BN_is_odd(y)) {
|
||||||
if (BN_is_zero(y)) {
|
if (BN_is_zero(y)) {
|
||||||
int kron;
|
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT);
|
||||||
|
|
||||||
kron = BN_kronecker(x, &group->field, ctx);
|
|
||||||
if (kron == -2) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (kron == 1) {
|
|
||||||
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT);
|
|
||||||
} else {
|
|
||||||
/* BN_mod_sqrt() should have cought this error (not a square) */
|
|
||||||
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT);
|
|
||||||
}
|
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
if (!BN_usub(y, &group->field, y)) {
|
if (!BN_usub(y, &group->field, y)) {
|
||||||
|
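Review bot: The `if (BN_is_zero(y))` branch that now holds only `OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT);` and `goto err;` has no comment saying why a zero y rejects the odd bit; the reasoning lives only in the commit description, so a maintainer reading the code cannot tell this from a leftover special case. A one-line comment before the error call, such as `/* y == 0 has no odd counterpart: p - 0 is p, not a reduced coordinate, so y_bit must be 0. */`, would also explain why this check has to precede the `BN_usub(y, &group->field, y)` on the following lines, which for y == 0 would otherwise yield p as the "odd" root. The removed Kronecker block was the only place that mentioned the not-a-square case; the description says BN_mod_sqrt now reports that itself, so a short note near this check that non-square x is rejected earlier by BN_mod_sqrt would keep that intent visible. ec_GFp_simple_set_compressed_coordinates begins and ends outside the hunk.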